Vulnerability
Qualcomm Eudora Spellchecker
Affected
Qualcomm Eudora 3.x Spellchecker (Windows 95/98/NT)
Description
The following is based on the work of Attrition's Little Errata Report Team.
Systems in danger are systems running Microsoft Windows 95/98
and NT, using Qualcomm's Eudora v3.x with the NAI PGP plug-in.
There are unconfirmed reports that MacOS versions are similarly affected.
Qualcomm sells and distributes a Mail User Agent (MUA) package
called Eudora which supports a number of plug-in utilities, one of
which is the Network Associates (NAI) Pretty Good Privacy (PGP)
suite of tools for digital signatures and encryption. This
advisory specifically addresses a bug which exists in the
application of the Eudora spellchecking tool and its impact on
the NAI PGP plug-in for Eudora v3.x.
Qualcomm's Eudora Mail User Agent v3.x, when used in concert with
NAI's PGP plugin, exhibits a counterproductive behavior when the
user digitally signs their outgoing message. A majority of Eudora
users, upon first using Eudora, elect to have spellcheck performed
when they send their e-mail. This is all well and good, unless
the PGP plug-in (through no fault of NAI's work) is brought into
play. Upon completion of the message, the user toggles the
PGP-sign and/or the PGP-encrypt button and then elects to send
the message. It is at this point that the bug presents itself.
Rather than performing spellchecking first, Eudora invokes PGP to
sign or encrypt the message as specified, *then* invokes
spellchecking. A series of screen shots have been taken as a
proof-of-bug on this report and are available at:
http://www.attrition.org/security/advisory/attrition/attrition.1999-09-17.eudora3x.proof.html
The end result of this bug is that the user is compelled to remedy
spelling errors and otherwise inaccurate data *after* they have
digitally signed the document, thus altering the content and
invalidating the PGP signature. Eudora's spell checker goes a
step further and even attempts to "correct" the PGP signature
itself!
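The ordering problem described above can be shown in a few lines of Python. This is an added illustration, not code from the advisory, from Qualcomm or from NAI: an HMAC over the message body stands in for the PGP signature (a real PGP signature is asymmetric, but the failure mode is the same, because any change to the signed text after signing breaks verification), and a toy spellchecker that rewrites known misspellings anywhere in the text it is given stands in for Eudora's. The key, the armour markers and the correction table are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed key. It stands in for a PGP keypair only so the example runs
# with the standard library; it is not a real PGP key.
SIGNING_KEY = b"example-signing-key-not-a-real-pgp-key"

# Constructed armour markers, modelled loosely on clearsigned-message armour.
BEGIN_SIG = "-----BEGIN SIGNATURE-----"
END_SIG = "-----END SIGNATURE-----"


def clearsign(body: str, key: bytes = SIGNING_KEY) -> str:
    """Return the body followed by a signature block computed over the body."""
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body}\n{BEGIN_SIG}\n{mac}\n{END_SIG}\n"


def verify(signed: str, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the signature over the body and compare it in constant time.

    Returns False both when the body no longer matches the signature and when
    the armour itself has been damaged so the signature cannot be parsed.
    """
    pattern = (rf"(.*)\n{re.escape(BEGIN_SIG)}\n([0-9a-f]+)\n"
               rf"{re.escape(END_SIG)}\n")
    m = re.fullmatch(pattern, signed, re.S)
    if not m:
        return False  # signature block unparseable (e.g. "corrected" armour)
    body, sig = m.group(1), m.group(2)
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


# Constructed toy spellchecker: like the Eudora 3.x behaviour the advisory
# describes, it is handed the whole outgoing message and edits whatever it
# recognises, with no notion that part of the text is already signed.
CORRECTIONS = {"recieve": "receive", "seperate": "separate"}


def spellcheck(text: str) -> str:
    for wrong, right in CORRECTIONS.items():
        text = re.sub(rf"\b{wrong}\b", right, text)
    return text


DRAFT = "Please recieve the seperate attachment."  # constructed message


def eudora3_order(draft: str) -> str:
    """Bug order from the advisory: sign first, then spellcheck the signed text."""
    return spellcheck(clearsign(draft))


def correct_order(draft: str) -> str:
    """Fixed order: spellcheck the draft, then sign the final text."""
    return clearsign(spellcheck(draft))


if __name__ == "__main__":
    bad = eudora3_order(DRAFT)
    good = correct_order(DRAFT)
    print("sign-then-spellcheck verifies:", verify(bad))    # False: BAD signature
    print("spellcheck-then-sign verifies:", verify(good))   # True
```

Run stand-alone, the script shows the recipient's view: the message produced in Eudora's order carries corrected spelling but a signature that no longer matches it, which a verifier reports as a bad signature, while the same draft spellchecked before signing verifies cleanly. The parse failure branch in `verify` covers the second effect the advisory mentions, a spellchecker that edits the signature block itself.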
As most Windows users do not fully understand how PGP works, they
will likely attribute any reports of Bad Signatures or unrecoverable
encrypted files to system error when recipients complain about their
"corrected" signed and encrypted messages. It
is also highly likely that a chronic history of this sort of data
corruption will compel users to either outright dismiss Bad
Signatures as inconsequential, or they will abandon the use of
PGP encryption and signatures altogether. This unfortunate set
of circumstances defeats the use of PGP encryption and content
authentication entirely.
Solution
Qualcomm Eudora v4.x is not affected. Users are encouraged to
either switch mail user agent software, disable automatic
spellchecking, or upgrade to Eudora v4.x if they wish to continue
using the PGP plug-in for Eudora. Other alternatives include
performing spellchecks of mail in an external application before
pasting into the Eudora message body. Abandoning the use of PGP in
any way is NOT recommended. As previously stated, the
fault is not with NAI PGP.